Security audit

Bookmark Organize

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to organize Chrome bookmarks, but its bridge and extension expose unauthenticated ways to read and change bookmarks outside the promised confirmation flow.

Install only if you trust this publisher with full Chrome bookmark read/write access. Use it with the local bridge running only while needed, avoid changing the bridge URL, consider exporting bookmarks first, and remove or disable the extension and bridge after use unless a future version adds authentication, sender checks, and enforced confirmation for mutations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly depends on a local HTTP bridge and a bundled Chrome extension, which gives it network-capable behavior, yet the metadata does not declare any corresponding permission or capability boundary. That weakens reviewability and user consent because operators may believe the skill is only a prompt/workflow when it actually communicates with a local service and browser extension.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared behavior emphasizes conservative bookmark organization, but the observed capabilities include accepting external extension messages, maintaining a persistent bridge connection, and supporting a cleanup command that can delete bookmark folders. This mismatch is dangerous because it hides materially broader attack surface and destructive functionality behind a benign productivity description.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The extension registers chrome.runtime.onMessageExternal and forwards all received messages directly into handleBridgeMessage without authenticating the sender or restricting allowed extension IDs. That allows other local extensions or authorized external callers to read bookmark context and invoke apply/undo/cleanup operations, creating an unauthorized cross-extension command surface over sensitive browser data.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The cleanup_test_artifacts command exposes deletion functionality beyond the core documented bookmark-organization actions and can be invoked through the same message handlers. Even though it is limited to specific folder titles and skips non-empty folders, it still introduces an unnecessary destructive operation that increases attack surface and may delete legitimate user folders with matching names.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description promises preview and explicit confirmation, but the executor itself applies and undoes bookmark changes immediately upon receiving bridge.apply or bridge.undo messages. If the surrounding caller does not enforce confirmation correctly, the extension provides no defense-in-depth and will perform destructive operations without any local user verification.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The bridge explicitly sets `Access-Control-Allow-Origin: *` and exposes state-changing POST endpoints without any authentication or CSRF protection. Any local webpage or process that can reach `127.0.0.1:8787` can invoke bookmark validation, apply, undo, or cleanup actions, which makes the local Chrome executor remotely drivable from untrusted web content running in the user's browser.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The WebSocket server accepts any client on `/ws` that sends `{type:"hello", role:"chrome-executor"}` and then treats that socket as the privileged executor. A malicious local process or webpage-capable client could register first or replace the legitimate executor, intercept forwarded requests, return forged responses, or manipulate bookmark operations through the bridge.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The preflight routine uses AppleScript and System Events to drive Chrome by screen coordinates and UI interaction, which gives the skill the ability to manipulate the browser outside the narrow bookmark-management surface it claims to need. Even though the current script targets the extensions page, GUI automation is a broad local-control primitive that can misfire, be repurposed for other actions, or trigger unintended clicks depending on window state, permissions, and UI layout.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The setup script invokes local subprocesses and uses AppleScript to activate Google Chrome and open chrome://extensions/, which expands its control beyond simple bookmark organization. In this skill’s context, that broader automation is risky because it nudges the user into enabling Developer Mode and loading an unpacked extension, creating a larger trust boundary and a path to browser-level access if the extension is unsafe or later modified.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the extension can apply bookmark actions and only keeps a best-effort undo record, but it does not clearly warn users that their bookmark data may be permanently modified or only partially recoverable. In a bookmark-management skill, this increases the risk of accidental destructive changes because users may overestimate the safety and reversibility of operations.

Missing User Warnings

High
Confidence
98% confidence
Finding
External messages can invoke validate, apply, undo, context, and cleanup operations, yet there is no user-facing warning, prompt, or sender authentication before bookmark modifications or deletions occur. In the context of a bookmark-management extension with broad bookmark permissions, this makes silent tampering and data exposure materially more dangerous because users would reasonably expect conservative, confirmed changes only.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The context handler returns the full normalized bookmark tree, and the extension also auto-connects to a WebSocket bridge, enabling bookmark metadata to be transmitted to another local service without any visible disclosure or consent flow in this code. Bookmark titles, folder structure, and URLs can reveal sensitive browsing interests, internal resources, or account links, so silent export is a privacy risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The options page allows any entered WebSocket URL to be persisted and later used by the extension without validation, restriction, or a meaningful warning to the user. In this skill's context, the bridge appears to mediate privileged Chrome bookmark operations, so redirecting traffic to an attacker-controlled or unexpected endpoint could enable command interception, spoofed responses, or unauthorized browser actions through the local executor workflow.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The AppleScript looks for a Chrome window whose title contains a specific Chinese string, making the automation depend on one locale-specific UI label. This can cause the script to fail unpredictably or target the wrong window path, increasing the risk of unintended browser interaction when combined with subsequent blind coordinate clicks.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bridges/preflight.mjs:149

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bridges/setup.mjs:31

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/run-repo-script.mjs:23

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bridges/ensure-live.mjs:6

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bridges/preflight.mjs:8

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
apps/chrome-executor-extension/manifest.json:12